You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@kudu.apache.org by "Dan Burkert (Code Review)" <ge...@cloudera.org> on 2016/11/07 22:37:10 UTC

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X 

Hello Todd Lipcon,

I'd like you to do a code review.  Please visit

    http://gerrit.cloudera.org:8080/4978

to review the following change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................

Misc. fixes for Kerberos compatibility on OS X

This commit makes a few changes in order to have better compatibility
with the system macOS Heimdal kerberos:

1. krb5kdc now uses UDP instead of TCP; the heimdal client library seems
   to have issues connecting via TCP.
2. The ticket cache is now the default FILE type instead of DIR. This
   has the downside of limiting our MiniKdc to one kinitted user, but
   heimdal apparently has issues with DIR, and FILE is expected to be how
   normal users will use Kerberos.
3. The SASL error string handling is special cased for the Heimdal
   errors on OS X.

sasl_rpc-test is still failing on macOS, but these changes get us a bit
closer to having it pass.

Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
---
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_rpc-test.cc
M src/kudu/security/test/mini_kdc-test.cc
M src/kudu/security/test/mini_kdc.cc
4 files changed, 28 insertions(+), 19 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/78/4978/1
-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/4978/3/src/kudu/rpc/sasl_common.cc
File src/kudu/rpc/sasl_common.cc:

Line 220: #if defined(__APPLE__)
Does it make sense to differentiate based on gss-api version instead?  E.g., using pkgconfig it might be possible to retrieve version of the package and put it into the compilation flags.

Or it's not related to the version of gss-api at all?


-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 1:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/4978/1//COMMIT_MSG
Commit Message:

PS1, Line 14: 2. The ticket cache is now the default FILE type instead of DIR. This
            :    has the downside of limiting our MiniKdc to one kinitted user, but
            :    heimdal apparently has issues with DIR, and FILE is expected to be how
            :    normal users will use Kerberos.
Is this downside worth the trade-off? Seems like having multiple kinitted users is something we'd want to test at some point.

An alternative would be to disable Kerberos tests on macOS. Or maybe use FILE on macOS and DIR elsewhere.


http://gerrit.cloudera.org:8080/#/c/4978/1/src/kudu/rpc/sasl_rpc-test.cc
File src/kudu/rpc/sasl_rpc-test.cc:

PS1, Line 285: get-pricipal
It's really not 'get-principal'?

Also, can we define the path centrally and use it both here and in test_util.cc?


http://gerrit.cloudera.org:8080/#/c/4978/1/src/kudu/security/test/mini_kdc-test.cc
File src/kudu/security/test/mini_kdc-test.cc:

Line 47:   ASSERT_OK(kdc.Kinit("bob"));
Doesn't this contradict your commit description? I thought using a FILE cache meant that a single UNIX user could only kinit as one kerberos user?


-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/4978/1//COMMIT_MSG
Commit Message:

PS1, Line 14: 2. The ticket cache is now the default FILE type instead of DIR. This
            :    has the downside of limiting our MiniKdc to one kinitted user, but
            :    heimdal apparently has issues with DIR, and FILE is expected to be how
            :    normal users will use Kerberos.
> Given that the FILE type cache is actually the default on Linux too, I thin
That's fair, but in effect this punts a certain class of testing out of integration testing and into system testing (where root access can be used to su to other UNIX users and kinit them).

As a project we're very much lacking in system tests, especially automated system tests. So how much will this hurt our test coverage? I'd expect one kinitted user per Kudu client instance, so this would prohibit kerberized multi-client integration tests?


-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 3:

Why do we need to work with Heimdal implementation at all?  I though we are about to use MIT implementation on MacOS X as well.

-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/4978/1//COMMIT_MSG
Commit Message:

PS1, Line 14: 2. The ticket cache is now the default FILE type instead of DIR. This
            :    has the downside of limiting our MiniKdc to one kinitted user, but
            :    heimdal apparently has issues with DIR, and FILE is expected to be how
            :    normal users will use Kerberos.
> Is this downside worth the trade-off? Seems like having multiple kinitted u
Given that the FILE type cache is actually the default on Linux too, I think it's better to stick with that. DIR is an odd thing I've never seen used in practice (I don't think Java even supports it)


-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 1:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/4978/1/src/kudu/rpc/sasl_rpc-test.cc
File src/kudu/rpc/sasl_rpc-test.cc:

PS1, Line 285: get-pricipal
> If it's too weird, just convert this into a std::string. It's a unit test s
Done


http://gerrit.cloudera.org:8080/#/c/4978/1/src/kudu/security/test/mini_kdc-test.cc
File src/kudu/security/test/mini_kdc-test.cc:

Line 47:   ASSERT_OK(kdc.Kinit("bob"));
> Can we confirm that in the test? By ensuring the alice@KRBTEST.COM isn't in
Done


-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 3:

The gssapi implementation on macOS uses the system heimdal library.

-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 1:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/4978/1/src/kudu/rpc/sasl_rpc-test.cc
File src/kudu/rpc/sasl_rpc-test.cc:

PS1, Line 285: get-pricipal
> Yah this seems to be a typo in Heimdal.
If it's too weird, just convert this into a std::string. It's a unit test so string literal vs. std::string doesn't really matter.


http://gerrit.cloudera.org:8080/#/c/4978/1/src/kudu/security/test/mini_kdc-test.cc
File src/kudu/security/test/mini_kdc-test.cc:

Line 47:   ASSERT_OK(kdc.Kinit("bob"));
> bob overwrites alice here, so alice is no longer kinit'd
Can we confirm that in the test? By ensuring the alice@KRBTEST.COM isn't in the klist output?


-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 1: Code-Review+2

-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Hello Todd Lipcon, Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/4978

to look at the new patch set (#3).

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................

Misc. fixes for Kerberos compatibility on OS X

This commit makes a few changes in order to have better compatibility
with the system macOS Heimdal kerberos:

1. krb5kdc now uses UDP instead of TCP; the heimdal client library seems
   to have issues connecting via TCP.
2. The ticket cache is now the default FILE type instead of DIR. This
   has the downside of limiting our MiniKdc to one kinitted user, but
   heimdal apparently has issues with DIR, and FILE is expected to be how
   normal users will use Kerberos.
3. The SASL error string handling is special cased for the Heimdal
   errors on OS X.

sasl_rpc-test is still failing on macOS, but these changes get us a bit
closer to having it pass.

Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
---
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_rpc-test.cc
M src/kudu/security/test/mini_kdc-test.cc
M src/kudu/security/test/mini_kdc.cc
M src/kudu/util/test_util.cc
M src/kudu/util/test_util.h
6 files changed, 35 insertions(+), 21 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/78/4978/3
-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 3: Code-Review+2

-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/4978/3/src/kudu/rpc/sasl_common.cc
File src/kudu/rpc/sasl_common.cc:

Line 220: #if defined(__APPLE__)
> Does it make sense to differentiate based on gss-api version instead?  E.g.
I'm not sure what the relation is to gss-api, for now I think this is the simplest way forward.  If we end up some how linking to an alternate gssapi implementation on macOS we can revisit.


-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 1:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/4978/1//COMMIT_MSG
Commit Message:

PS1, Line 14: 2. The ticket cache is now the default FILE type instead of DIR. This
            :    has the downside of limiting our MiniKdc to one kinitted user, but
            :    heimdal apparently has issues with DIR, and FILE is expected to be how
            :    normal users will use Kerberos.
> That's fair, but in effect this punts a certain class of testing out of int
Right now we have no tests that rely on multiple kinit'd users, except for the unit test which I modified.  In the future we could keep separate FILE type ticket locations for each individual client we want to kinit, but they would have to be in separate processes.


http://gerrit.cloudera.org:8080/#/c/4978/1/src/kudu/rpc/sasl_rpc-test.cc
File src/kudu/rpc/sasl_rpc-test.cc:

PS1, Line 285: get-pricipal
> It's really not 'get-principal'?
Yah this seems to be a typo in Heimdal.

Is it possible to splice in a constant to a literal const char*?  I've never seen that done.


http://gerrit.cloudera.org:8080/#/c/4978/1/src/kudu/security/test/mini_kdc-test.cc
File src/kudu/security/test/mini_kdc-test.cc:

Line 47:   ASSERT_OK(kdc.Kinit("bob"));
> Doesn't this contradict your commit description? I thought using a FILE cac
bob overwrites alice here, so alice is no longer kinit'd


-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Patch Set 4:

> The gssapi implementation on macOS uses the system heimdal library.

oh, I see.  Thanks for the clarification.

-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 4
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has submitted this change and it was merged.

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................


Misc. fixes for Kerberos compatibility on OS X

This commit makes a few changes in order to have better compatibility
with the system macOS Heimdal kerberos:

1. krb5kdc now uses UDP instead of TCP; the heimdal client library seems
   to have issues connecting via TCP.
2. The ticket cache is now the default FILE type instead of DIR. This
   has the downside of limiting our MiniKdc to one kinitted user, but
   heimdal apparently has issues with DIR, and FILE is expected to be how
   normal users will use Kerberos.
3. The SASL error string handling is special cased for the Heimdal
   errors on OS X.

sasl_rpc-test is still failing on macOS, but these changes get us a bit
closer to having it pass.

Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Reviewed-on: http://gerrit.cloudera.org:8080/4978
Reviewed-by: Adar Dembo <ad...@cloudera.com>
Tested-by: Kudu Jenkins
---
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_rpc-test.cc
M src/kudu/security/test/mini_kdc-test.cc
M src/kudu/security/test/mini_kdc.cc
M src/kudu/util/test_util.cc
M src/kudu/util/test_util.h
6 files changed, 35 insertions(+), 21 deletions(-)

Approvals:
  Adar Dembo: Looks good to me, approved
  Kudu Jenkins: Verified



-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 4
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[kudu-CR] Misc. fixes for Kerberos compatibility on OS X

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Hello Adar Dembo, Todd Lipcon, Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/4978

to look at the new patch set (#2).

Change subject: Misc. fixes for Kerberos compatibility on OS X
......................................................................

Misc. fixes for Kerberos compatibility on OS X

This commit makes a few changes in order to have better compatibility
with the system macOS Heimdal kerberos:

1. krb5kdc now uses UDP instead of TCP; the heimdal client library seems
   to have issues connecting via TCP.
2. The ticket cache is now the default FILE type instead of DIR. This
   has the downside of limiting our MiniKdc to one kinitted user, but
   heimdal apparently has issues with DIR, and FILE is expected to be how
   normal users will use Kerberos.
3. The SASL error string handling is special cased for the Heimdal
   errors on OS X.

sasl_rpc-test is still failing on macOS, but these changes get us a bit
closer to having it pass.

Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
---
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_rpc-test.cc
M src/kudu/security/test/mini_kdc-test.cc
M src/kudu/security/test/mini_kdc.cc
M src/kudu/util/test_util.cc
M src/kudu/util/test_util.h
6 files changed, 34 insertions(+), 21 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/78/4978/2
-- 
To view, visit http://gerrit.cloudera.org:8080/4978
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I3b61af8cedf83745a5b7a6b806b68912f2655821
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>